X.509v3
==========================================================

`RFC5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile <https://tools.ietf.org/html/rfc5280>`_

`wiki X.509 <https://en.wikipedia.org/wiki/X.509>`_

`How to generate x509v3 Extensions in the End user certificate  <https://access.redhat.com/solutions/28965>`_

Root Certificate, Intermediate certificate, End-entity certificate

Certificate
----------------------------------------------------

.. code-block::

    Certificate  ::=  SEQUENCE  {
            tbsCertificate       TBSCertificate,
            signatureAlgorithm   AlgorithmIdentifier,
            signatureValue       BIT STRING  }

       TBSCertificate  ::=  SEQUENCE  {
            version         [0]  EXPLICIT Version DEFAULT v1,
            serialNumber         CertificateSerialNumber,
            signature            AlgorithmIdentifier,
            issuer               Name,
            validity             Validity,
            subject              Name,
            subjectPublicKeyInfo SubjectPublicKeyInfo,
            issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                                 -- If present, version MUST be v2 or v3
                                  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                                 -- If present, version MUST be v2 or v3
            extensions      [3]  EXPLICIT Extensions OPTIONAL
                                 -- If present, version MUST be v3
            }

       Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }

       CertificateSerialNumber  ::=  INTEGER

       Validity ::= SEQUENCE {
        notBefore      Time,
        notAfter       Time }

       Time ::= CHOICE {
            utcTime        UTCTime,
            generalTime    GeneralizedTime }

       UniqueIdentifier  ::=  BIT STRING

       SubjectPublicKeyInfo  ::=  SEQUENCE  {
            algorithm            AlgorithmIdentifier,
            subjectPublicKey     BIT STRING  }

       Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

       Extension  ::=  SEQUENCE  {
            extnID      OBJECT IDENTIFIER,
            critical    BOOLEAN DEFAULT FALSE,
            extnValue   OCTET STRING
                        -- contains the DER encoding of an ASN.1 value
                        -- corresponding to the extension type identified
                        -- by extnID
            }

CRL
----------------------------------------------------

.. code-block::

    CertificateList  ::=  SEQUENCE  {
            tbsCertList          TBSCertList,
            signatureAlgorithm   AlgorithmIdentifier,
            signatureValue       BIT STRING  }

       TBSCertList  ::=  SEQUENCE  {
            version                 Version OPTIONAL,
                                         -- if present, MUST be v2
            signature               AlgorithmIdentifier,
            issuer                  Name,
            thisUpdate              Time,
            nextUpdate              Time OPTIONAL,
            revokedCertificates     SEQUENCE OF SEQUENCE  {
                 userCertificate         CertificateSerialNumber,
                 revocationDate          Time,
                 crlEntryExtensions      Extensions OPTIONAL
                                          -- if present, version MUST be v2
                                      }  OPTIONAL,
            crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                          -- if present, version MUST be v2
                                      }


doc
----

- `key usage <https://ldapwiki.com/wiki/KeyUsage>`_
- `Specifying Distinguished Names <https://www.cryptosys.net/pki/manpki/pki_distnames.html>`_
- `Class KeyUsage <http://rcardon.free.fr/websign/download/api-x509-ext/be/cardon/asn1/x509/extensions/KeyUsage.html>`_